Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A new and stealthy backdoor named Mistic has been quietly targeting corporate networks since April 2026, disguising itself using the names and appearance of legitimate Microsoft endpoint security components. <\/p>\n
This clever camouflage helps it avoid detection, allowing attackers to maintain a persistent, low-profile foothold inside compromised environments. Security teams across multiple industries are now on alert as incidents continue to emerge.<\/p>\n
Mistic has hit organizations in insurance, education, information technology, and professional services. The attacks are opportunistic in nature, meaning the group casts a wide net and evaluates which compromised networks are worth selling access to. <\/p>\n
That access is then offered to ransomware affiliates and other criminal groups who pay for a ready-made entry point into enterprise systems.<\/p>\n
Analysts from Symantec identified the threat and connected it to a financially motivated cybercrime group tracked as Woodgnat, also known as KongTuke. <\/p>\n
According to Symantec\u00a0report\u00a0shared<\/a> with Cyber Security News (CSN), the Symantec Threat Hunter Team found Mistic deployed alongside ModeloRAT, a remote access tool tied to attacks involving Qilin, Akira, Rhysida, Black Basta, Interlock, and 8Base.<\/a><\/p>\n Mistic was first publicly documented by Zscaler, which tracks it as MLTBackdoor. Symantec\u2019s investigation went deeper, tying the backdoor more firmly to Woodgnat\u2019s expanding toolkit and confirming its role in a broader criminal supply chain. <\/p>\n The group\u2019s goal is not to launch the final attack itself but to sell high-value access to others who will.<\/a><\/p>\n What makes Mistic especially dangerous is how well it hides. It runs entirely in memory with no files written to disk, and it carries a built-in kill switch that lets it erase itself when no longer needed. <\/p>\n These traits make it extremely difficult to detect and allow attackers to operate quietly inside a network for extended periods.<\/a><\/p>\n Mistic reaches its target through a technique known as DLL sideloading<\/a>, where a legitimate executable is manipulated into loading a malicious file. <\/p>\n In investigated attacks, a legitimate Microsoft file called MpExtMs.exe was used to sideload a malicious DLL named EndpointDlp.dll, a name directly associated with Microsoft endpoint security tooling. <\/p>\n This naming choice helps the backdoor appear like trusted software running in the background.<\/a><\/p>\n A loader called version.dll sits in the middle of this process. It hooks two Windows functions, GetModuleFileNameW and LoadLibraryW, directing execution toward the malicious DLL while keeping normal appearances intact. <\/p>\n A separate .NET DLL was also deployed as a credential stealer, displaying a fake login screen to harvest user passwords from unsuspecting victims.<\/a><\/p>\n Beyond hiding well, Mistic is highly capable. It can upload and download files, move or delete data, create folders, run remote code in memory, and adjust its check-in frequency with the attacker\u2019s command-and-control server. This gives operators strong control over any network they manage to infiltrate.<\/a><\/p>\n Woodgnat has been active since at least May 2024 and has steadily refined its attack methods. The group compromises WordPress sites and injects JavaScript to profile visitors before pushing social engineering<\/a> lures that trick users into running malicious commands. <\/p>\n These lures have evolved through ClickFix and FileFix tactics to a newer approach called CrashFix, which crashes a victim\u2019s browser and presents a fake fix that installs malware.<\/a><\/p>\n Since April 2026, Woodgnat has also been using fake IT helpdesk scenarios through Microsoft Teams chats to push users into running PowerShell commands. <\/p>\n Once executed, a script chain downloads a portable Python environment and launches ModeloRAT, after which attackers conduct deep reconnaissance, harvest credentials, and set up multiple persistence paths. <\/p>\n This layered approach makes the group difficult to fully remove even after initial discovery.<\/a><\/p>\n Security researchers recommend monitoring for unusual DLL sideloading activity, especially when legitimate Microsoft executables load unexpected files. <\/p>\n Organizations should also watch for suspicious use of built-in Windows tools such as curl.exe, certutil, WMIC, and PowerShell in contexts outside normal operations. <\/p>\n Tuning endpoint detection toward in-memory execution<\/a> and tracking abnormal network behavior remain among the most practical defenses against this threat.<\/a><\/p>\n Note:<\/strong>\u00a0IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em> Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong> Google<\/a><\/strong><\/strong>.<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n The post Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMistic Backdoor Blends With Microsoft Endpoint Security Tooling<\/strong><\/h2>\n
Woodgnat\u2019s Expanding Attack Playbook<\/strong><\/h2>\n
Indicators of Compromise (IoCs):-<\/strong><\/h2>\n
\n\n
\n \nType<\/th>\n Indicator<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n File Hash (SHA-256)<\/td>\n 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984<\/code><\/td>\nBackdoor.Mistic \u2013 endpointdlp.dll<\/td>\n<\/tr>\n \n File Hash (SHA-256)<\/td>\n 34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc<\/code><\/td>\nFake lockscreen \u2013 f.dll<\/td>\n<\/tr>\n \n File Hash (SHA-256)<\/td>\n 3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be<\/code><\/td>\nBackdoor.Mistic \u2013 aeff97fe.msi<\/td>\n<\/tr>\n \n File Hash (SHA-256)<\/td>\n 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712<\/code><\/td>\nLoader for backdoor \u2013 version.dll<\/td>\n<\/tr>\n \n File Hash (SHA-256)<\/td>\n 8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235<\/code><\/td>\nLikely privilege escalation \u2013 n.dll<\/td>\n<\/tr>\n \n File Hash (SHA-256)<\/td>\n afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c<\/code><\/td>\nBackdoor.Mistic \u2013 endpointdlp.dll<\/td>\n<\/tr>\n \n File Hash (SHA-256)<\/td>\n db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5<\/code><\/td>\nBackdoor.Mistic \u2013 endpointdlp.dll<\/td>\n<\/tr>\n \n File Hash (SHA-256)<\/td>\n f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e<\/code><\/td>\nBackdoor.Mistic \u2013 48b47c0.msi<\/td>\n<\/tr>\n \n File Hash (SHA-256)<\/td>\n fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a<\/code><\/td>\nBackdoor.Mistic \u2013 endpointdlp.dll<\/td>\n<\/tr>\n \n IP Address<\/td>\n 142.93.242.144<\/code><\/td>\nC2 network indicator<\/td>\n<\/tr>\n \n IP Address<\/td>\n 144.31.53.78<\/code><\/td>\nC2 network indicator<\/td>\n<\/tr>\n \n IP Address<\/td>\n 198.13.159.44<\/code><\/td>\nC2 network indicator<\/td>\n<\/tr>\n \n IP Address<\/td>\n 199.91.221.42<\/code><\/td>\nC2 network indicator<\/td>\n<\/tr>\n \n Domain<\/td>\n authorized-logins.net<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n b6w9m2z5x8q1v3k.top<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n carrolc.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n cj06y9v4xab.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n cwrtwright.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n defs.updater-worelos.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n ftps.upd-domain-goloro.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n grande-luna.top<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n URL<\/td>\n hxxp:\/\/thomphon.com\/update.msi<\/code><\/td>\nMalware delivery URL<\/td>\n<\/tr>\n \n Domain<\/td>\n human-check.top<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n mail.authorized-logins.net<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n mailes.upd-domain-goloro.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n mails.updater-worelos.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n mueleer.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n nano.upscale-kolo.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n oeannon.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n php.authorized-logins.net<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n rotoa-upda-lo.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n sql-updater-service.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n sss.authorized-logins.net<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n thomphon.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n upd-domain-goloro.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n update.update-fall.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n updater-worelos.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n upscale-kolo.com<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n \n Domain<\/td>\n w3xasv14culvnqj.top<\/code><\/td>\nMalicious C2 domain<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n [.]<\/em><\/code>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n